
New Critical Security Flaws Affect All Windows Versions, Millions Of Users At Risk -- Update Now

A Google security researcher revealed today that several critical security flaws have been affecting all Windows machines for the past 20 years, allowing cybercriminals to hijack Microsoft's operating system. (Photo by Sean Gallup)

Getty

Update: Microsoft replied to our inquiry on the new Windows vulnerabilities and I've updated the story with their response.

This is the nightmare scenario for system administrators around the world: several severe security flaws affecting every Windows version since Windows XP were made public today, and Microsoft has only just released the corresponding security update, which took the full 90 days (the customary disclosure window before vulnerabilities are made public) to develop.

It’s now a race against the clock for IT administrators around the world to make sure that all of their company’s Windows machines, which can number in the tens of thousands, are updated before hackers exploit the vulnerability.
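The first thing an administrator in that position needs is an inventory of which machines have the fix and which do not. The script below is an added example, not code from the article, from Microsoft or from Project Zero. It uses the standard `Get-HotFix` cmdlet (which reads the installed updates recorded in `Win32_QuickFixEngineering`) to check a list of hosts for a required KB number and write the unpatched ones to a CSV. The KB number is a placeholder that you must replace with the identifier Microsoft's advisory for CVE-2019-1162 gives for your Windows build; the host list and the output path are likewise assumptions for illustration.

```powershell
<#
 Added example (not part of the original article): report which Windows hosts
 lack a required update so they can be prioritized for patching.
 Run from an account with remote WMI/CIM rights on the target hosts.
#>
param(
    # Placeholder: replace with the KB listed in the advisory for CVE-2019-1162
    # for your Windows version/build (constructed value, not a real KB).
    [string]$RequiredKB = 'KB0000000',
    # Assumed host list; replace with your own inventory source (e.g. AD query)
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$ReportPath = '.\unpatched-hosts.csv'
)

$results = foreach ($computer in $ComputerName) {
    try {
        # One query per host; keep the full list so we can also report the
        # most recent install date as a rough "is this box being serviced" signal.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop

        $latest = $installed |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Computer    = $computer
            Patched     = [bool]($installed.HotFixID -contains $RequiredKB)
            LastUpdate  = if ($latest) { $latest.InstalledOn } else { $null }
            Error       = $null
        }
    }
    catch {
        # Unreachable hosts are reported rather than silently skipped, since an
        # unknown patch state is itself a finding for the admin to chase.
        [pscustomobject]@{
            Computer    = $computer
            Patched     = $null
            LastUpdate  = $null
            Error       = $_.Exception.Message
        }
    }
}

# Summary on screen: unpatched and unknown hosts first
$results | Sort-Object Patched | Format-Table -AutoSize

# Machine-readable list of hosts still missing the update (or unreachable)
$results |
    Where-Object { $_.Patched -ne $true } |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} of {1} hosts confirmed patched with {2}" -f `
    (@($results | Where-Object { $_.Patched -eq $true }).Count),
    $results.Count, $RequiredKB)
```

Because `Get-HotFix` only sees updates recorded by component-based servicing, treat a "not patched" result as a prompt to verify on the host (for example via `winver` or the OS build number) rather than as proof by itself, and treat an unreachable host as unpatched until shown otherwise.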

In a report this morning, Google security researcher Tavis Ormandy revealed several critical design flaws in a little-known module (dubbed CTF) inside the Windows kernel. CTF is part of the Text Services Framework (TSF), which manages things like input methods, keyboard layouts and text processing, and it has been present since Windows XP.

“It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed,” said Ormandy who’s part of Google's Project Zero elite security team.

In a nutshell, the newly found vulnerabilities allow an attacker to remotely take control of a Windows machine.

Below is a video that shows how an attacker can gain administrative privileges on Windows using Ormandy's discovery.

Atherton Research Insights

The first thing that surprised us in this latest Windows vulnerability alert was that CTF had no security access control in place at all, letting an attacker without any special system privileges easily take over any Windows application remotely, and even the machine running Microsoft's operating system.

The second surprise was how slow Microsoft was in responding to Ormandy's discovery. According to the Google security researcher, it took more than a month for Microsoft to get back to him after he shared his discovery with the software giant.

"We're approaching the 30-day mark, and Microsoft still haven't confirmed the bug," wrote Ormandy.

And less than two weeks before Ormandy planned to publicly release these critical vulnerabilities, Microsoft was still asking for more details about the exploit.

I've reached out to Microsoft's "rapid response team" about these vulnerabilities, and below is the company's official statement:

We resolved issues related to CVE-2019-1162, in August [which was only one of the vulnerabilities discovered by Ormandy]

However, the Redmond, Washington-based technology giant admitted that the other items disclosed by Google Project Zero will require more time to address and that they are working to resolve those according to Microsoft's "normal Update Tuesday process."

Certainly, system administrators around the world expected more from the trillion-dollar company.

Jean Baptiste "Jeb" Su is Principal Analyst and Technology Futurist at Atherton Technology Research, a global strategy and intelligence consultancy firm located in Silicon Valley that advises clients on how to plan, build and deliver successful go-to-market strategies. Prior to joining Atherton Research, Jeb was an award-winning journalist who covered the Business of Technology (B2B and B2C) for 25+ years, since the early 1990s, at IDG Communications, Vivendi Universal Publishing, LVMH, Roularta Media and most recently FORBES. Passionate about all things tech, Jeb earned a BSc (Hons) in Computing for Real-Time Systems from Bristol Polytechnic (UK) and built his first computer at the age of 7.